name: Backport

on:
  # NOTE(negz): This is a risky target, but we run this action only when and if
  # a PR is closed, then filter down to specifically merged PRs. We also don't
  # invoke any scripts, etc from within the repo. I believe the fact that we'll
  # be able to review PRs before this runs makes this fairly safe.
  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
  pull_request_target:
    types: [closed]
  # See also commands.yml for the /backport triggered variant of this workflow.

jobs:
  # NOTE(negz): I tested many backport GitHub actions before landing on this
  # one. Many do not support merge commits, or do not support pull requests with
  # more than one commit. This one does. It also handily links backport PRs with
  # new PRs, and provides commentary and instructions when it can't backport.
  # The main gotchas with this action are that it _only_ supports merge commits,
  # and that PRs _must_ be labelled before they're merged to trigger a backport.
  open-pr:
    runs-on: ubuntu-22.04
    if: github.event.pull_request.merged
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          fetch-depth: 0

      - name: Open Backport PR
        uses: zeebe-io/backport-action@e8161d6a0dbfa2651b7daa76cbb75bc7c925bbf3 # v2.4.1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
          version: v0.0.4
